Azure Monitor Agent overview

Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of Azure and hybrid virtual machines and delivers it to Azure Monitor for use by features, insights, and other services, such as Microsoft Sentinel and Microsoft Defender for Cloud. Azure Monitor Agent replaces all of Azure Monitor's legacy monitoring agents. This article provides an overview of Azure Monitor Agent's capabilities and supported use cases.

Here's a short video introduction to Azure Monitor, which includes a quick demo of how to set up the agent from the Azure portal: ITOps Talk: Azure Monitor Agent

Consolidating legacy agents

Deploy Azure Monitor Agent on all new virtual machines, scale sets, and on-premises servers to collect data for supported services and features.

If you have machines already deployed with legacy Log Analytics agents, we recommend you migrate to Azure Monitor Agent as soon as possible. The legacy Log Analytics agent will not be supported after August 2024.

Azure Monitor Agent replaces the Azure Monitor legacy monitoring agents:

  • Log Analytics Agent: Sends data to a Log Analytics workspace and supports monitoring solutions. This is fully consolidated into Azure Monitor Agent.
  • Telegraf agent: Sends data to Azure Monitor Metrics (Linux only). Only basic Telegraf plugins are supported today in Azure Monitor Agent.
  • Diagnostics extension: Sends data to Azure Monitor Metrics (Windows only), Azure Event Hubs, and Azure Storage. This is not consolidated yet.

Install the agent and configure data collection

Azure Monitor Agent uses data collection rules, in which you define the data you want each agent to collect. Data collection rules let you manage data collection settings at scale and define unique, scoped configurations for subsets of machines. The rules are independent of the workspace and the virtual machine, which means you can define a rule once and reuse it across machines and environments.
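Because one rule is reused across many machines, a routing mistake in it silently drops telemetry everywhere the rule is associated. The following is an added example, not part of the original article or Microsoft's tooling: a pre-deployment check that every stream a data source emits is routed to a declared destination. The sample rule is constructed, and its field names follow the data collection rule JSON schema, which this page does not show.

```python
# Constructed sample rule (names and IDs are placeholders). Field names follow
# the data collection rule JSON schema, which the page itself does not show.
SAMPLE_DCR = {"properties": {
    "dataSources": {
        "syslog": [{"name": "authSyslog", "streams": ["Microsoft-Syslog"],
                    "facilityNames": ["auth", "authpriv"],
                    "logLevels": ["Warning", "Error", "Critical"]}],
        "windowsEventLogs": [{"name": "securityEvents", "streams": ["Microsoft-Event"],
                              "xPathQueries": ["Security!*[System[(EventID=4625)]]"]}],
    },
    "destinations": {
        "logAnalytics": [{"name": "centralWorkspace",
                          "workspaceResourceId": "<workspace-resource-id>"}],
    },
    "dataFlows": [
        {"streams": ["Microsoft-Syslog"], "destinations": ["centralWorkspace"]},
        # Misspelled destination name: this flow points at nothing that exists.
        {"streams": ["Microsoft-Event"], "destinations": ["centralWorkspce"]},
    ],
}}


def lint_dcr(rule):
    """Return sorted findings for streams that would not reach a declared destination."""
    props = rule.get("properties", {})
    declared = set()
    for dest in props.get("destinations", {}).values():
        # logAnalytics holds a list of objects; azureMonitorMetrics is a single object.
        for item in dest if isinstance(dest, list) else [dest]:
            declared.add(item["name"])
    routed, findings = set(), []
    for flow in props.get("dataFlows", []):
        targets = flow.get("destinations", [])
        for name in targets:
            if name not in declared:
                findings.append(f"data flow {flow.get('streams')} names undeclared destination '{name}'")
        if any(name in declared for name in targets):
            routed.update(flow.get("streams", []))
    for kind, sources in props.get("dataSources", {}).items():
        for src in sources:
            for stream in src.get("streams", []):
                if stream not in routed:
                    findings.append(f"{kind}/{src.get('name')}: stream '{stream}' has no route to a declared destination")
    return sorted(findings)
```

Run it over rule templates in source control before they are deployed; an empty list means every collected stream has a destination.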

To collect data using Azure Monitor Agent:

  1. Install the agent on the resource.

    Resource type | Installation method | More information
    Virtual machines, scale sets | Virtual machine extension | Installs the agent by using Azure extension framework.
    On-premises servers (Azure Arc-enabled servers) | Virtual machine extension (after installing the Azure Arc agent) | Installs the agent by using Azure extension framework, provided for on-premises by first installing Azure Arc agent.
    Windows 10, 11 desktops, workstations | Client installer (Public preview) | Installs the agent by using a Windows MSI installer.
    Windows 10, 11 laptops | Client installer (Public preview) | Installs the agent by using a Windows MSI installer. The installer works on laptops, but the agent isn't optimized yet for battery or network consumption.
  2. Define a data collection rule and associate the resource to the rule.

    The table below lists the types of data you can currently collect with the Azure Monitor Agent and where you can send that data.

    Data source | Destinations | Description
    Performance | Azure Monitor Metrics (Public preview)¹ - Insights.virtualmachine namespace; Log Analytics workspace - Perf table | Numerical values measuring performance of different aspects of operating system and workloads
    Windows event logs (including sysmon events) | Log Analytics workspace - Event table | Information sent to the Windows event logging system
    Syslog | Log Analytics workspace - Syslog² table | Information sent to the Linux event logging system
    Text logs | Log Analytics workspace - custom table | Events sent to log file on agent machine

    1 On Linux, using Azure Monitor Metrics as the only destination is supported in v1.10.9.0 or higher.
    2 Azure Monitor Linux Agent versions 1.15.2 and higher support syslog RFC formats including Cisco Meraki, Cisco ASA, Cisco FTD, Sophos XG, Juniper Networks, Corelight Zeek, CipherTrust, NXLog, McAfee, and Common Event Format (CEF).

    Note

    On rsyslog-based systems, Azure Monitor Linux Agent adds forwarding rules to the default ruleset defined in the rsyslog configuration. If multiple rulesets are used, inputs bound to non-default ruleset(s) are not forwarded to Azure Monitor Agent. For more information about multiple rulesets in rsyslog, see the official documentation.
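The ruleset caveat in the note above means a listener can keep writing local files while nothing from it reaches Azure Monitor Agent. The following is an added example, not part of the original article or the agent's own code: it scans rsyslog configuration text for inputs bound to a ruleset other than the built-in default. The sample configuration is constructed, and the check assumes top-level statements belong to rsyslog's built-in `RSYSLOG_DefaultRuleset`.

```python
import re

# rsyslog's built-in default ruleset; top-level statements belong to it.
DEFAULT_RULESET = "RSYSLOG_DefaultRuleset"

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = '''
module(load="imudp")
module(load="imtcp")
input(type="imudp" port="514")
input(type="imtcp" port="6514"
      ruleset="firewalls")
ruleset(name="firewalls") {
    action(type="omfile" file="/var/log/firewalls.log")
}
$InputTCPServerBindRuleset appliances
$InputTCPServerRun 10514
'''

INPUT_RE = re.compile(r'\binput\s*\((.*?)\)', re.S | re.I)
PARAM_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# Legacy directives such as $InputTCPServerBindRuleset or $InputFileBindRuleset.
LEGACY_BIND_RE = re.compile(r'^\s*\$Input(\w+?)(?:Server)?BindRuleset\s+(\S+)', re.M | re.I)


def unforwarded_inputs(conf_text):
    """Return (input description, ruleset) pairs bound to a non-default ruleset."""
    text = re.sub(r'(?m)^\s*#.*$', '', conf_text)  # drop full-line comments
    found = []
    for match in INPUT_RE.finditer(text):
        params = {k.lower(): v for k, v in PARAM_RE.findall(match.group(1))}
        ruleset = params.get("ruleset", DEFAULT_RULESET)
        if ruleset != DEFAULT_RULESET:
            desc = f'{params.get("type", "?")} port {params.get("port", "?")}'
            found.append((desc, ruleset))
    for proto, ruleset in LEGACY_BIND_RE.findall(text):
        if ruleset != DEFAULT_RULESET:
            found.append((f"legacy {proto} input", ruleset))
    return found


if __name__ == "__main__":
    for desc, ruleset in unforwarded_inputs(SAMPLE_CONF):
        print(f"{desc}: bound to ruleset '{ruleset}', not forwarded to the agent")
```

To audit a host, pass it the concatenated contents of `/etc/rsyslog.conf` and the files under `/etc/rsyslog.d/`.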

Supported services and features

In addition to the generally available data collection listed above, Azure Monitor Agent also supports these Azure Monitor features in preview:

Azure Monitor feature | Current support | Other extensions installed | More information
Text logs and Windows IIS logs | Public preview | None | Collect text logs with Azure Monitor Agent (Public preview)
Windows client installer | Public preview | None | Set up Azure Monitor Agent on Windows client devices
VM insights | Public preview | Dependency Agent extension, if you’re using the Map Services feature | Enable VM Insights overview

In addition to the generally available data collection listed above, Azure Monitor Agent also supports these Azure services in preview:

Azure service | Current support | Other extensions installed | More information
Microsoft Defender for Cloud | Public preview | Azure Security Agent extension; SQL Advanced Threat Protection extension; SQL Vulnerability Assessment extension | Auto-deployment of Azure Monitor Agent (Preview)
Microsoft Sentinel | | Sentinel DNS extension, if you’re collecting DNS logs. For all other data types, you just need the Azure Monitor Agent extension. |
Change Tracking | Change Tracking: Preview. | Change Tracking extension | Sign-up link
Update Management (available without Azure Monitor Agent) | Use Update Management v2 - Public preview | None | Update management center (Public preview) documentation
Network Watcher | Connection Monitor: Preview | Azure NetworkWatcher extension | Sign-up link

Supported regions

Azure Monitor Agent is available in all public regions and Azure Government clouds. It's not yet supported in air-gapped clouds. For more information, see Product availability by region.

Costs

There's no cost for the Azure Monitor Agent, but you might incur charges for the data ingested. For information on Log Analytics data collection and retention and for customer metrics, see Azure Monitor pricing.

Compare to legacy agents

The tables below compare Azure Monitor Agent with the legacy Azure Monitor telemetry agents for Windows and Linux.

Windows agents

Azure Monitor Agent Log Analytics Agent Diagnostics extension (WAD)
Environments supported
Azure X X X
Other cloud (Azure Arc) X X
On-premises (Azure Arc) X X
Windows Client OS X (Public preview)
Data collected
Event Logs X X X
Performance X X X
File based logs X (Public preview) X X
IIS logs X (Public preview) X X
ETW events X
.NET app logs X
Crash dumps X
Agent diagnostics logs X
Data sent to
Azure Monitor Logs X X
Azure Monitor Metrics¹ X X
Azure Storage X
Event Hub X
Services and features supported
Microsoft Sentinel X (View scope) X
VM Insights X (Public preview) X
Microsoft Defender for Cloud X (Public preview) X
Update Management X (Public preview, independent of monitoring agents) X
Change Tracking X

Linux agents

Azure Monitor Agent Log Analytics Agent Diagnostics extension (LAD) Telegraf agent
Environments supported
Azure X X X X
Other cloud (Azure Arc) X X X
On-premises (Azure Arc) X X X
Data collected
Syslog X X X
Performance X X X X
File based logs X (Public preview)
Data sent to
Azure Monitor Logs X X
Azure Monitor Metrics¹ X X
Azure Storage X
Event Hub X
Services and features supported
Microsoft Sentinel X (View scope) X
VM Insights X (Public preview) X
Microsoft Defender for Cloud X (Public preview) X
Update Management X (Public preview, independent of monitoring agents) X
Change Tracking X

1 To review other limitations of using Azure Monitor Metrics, see quotas and limits. On Linux, using Azure Monitor Metrics as the only destination is supported in v1.10.9.0 or higher.

Supported operating systems

The following tables list the operating systems that Azure Monitor Agent and the legacy agents support. All operating systems are assumed to be x64. x86 isn't supported for any operating system.

Windows

Operating system Azure Monitor agent Log Analytics agent Diagnostics extension
Windows Server 2022 X
Windows Server 2022 Core X
Windows Server 2019 X X X
Windows Server 2019 Core X
Windows Server 2016 X X X
Windows Server 2016 Core X X
Windows Server 2012 R2 X X X
Windows Server 2012 X X X
Windows Server 2008 R2 SP1 X X X
Windows Server 2008 R2 X
Windows Server 2008 SP2 X
Windows 11 Client Enterprise and Pro X², ³
Windows 10 1803 (RS4) and higher X²
Windows 10 Enterprise (including multi-session) and Pro (Server scenarios only¹) X X X
Windows 8 Enterprise and Pro (Server scenarios only¹) X
Windows 7 SP1 (Server scenarios only¹) X
Azure Stack HCI X

1 Running the OS on server hardware, for example, machines that are always connected, always turned on, and not running other workloads (PC, office, browser).
2 Using the Azure Monitor agent client installer (Public preview).
3 Also supported on Arm64-based machines.

Linux

Operating system Azure Monitor agent¹ Log Analytics agent¹ Diagnostics extension²
AlmaLinux 8.5 X³
AlmaLinux 8 X X
Amazon Linux 2017.09 X
Amazon Linux 2 X
CentOS Linux 8 X X
CentOS Linux 7 X³ X X
CentOS Linux 6 X
CentOS Linux 6.5+ X X
CBL-Mariner 2.0 X
Debian 11 X³
Debian 10 X X
Debian 9 X X X
Debian 8 X
Debian 7 X
OpenSUSE 15 X
OpenSUSE 13.1+ X
Oracle Linux 8 X X
Oracle Linux 7 X X X
Oracle Linux 6 X
Oracle Linux 6.4+ X X
Red Hat Enterprise Linux Server 8.6 X³
Red Hat Enterprise Linux Server 8 X X
Red Hat Enterprise Linux Server 7 X X X
Red Hat Enterprise Linux Server 6 X
Red Hat Enterprise Linux Server 6.7+ X X
Rocky Linux 8 X X
SUSE Linux Enterprise Server 15 SP4 X³
SUSE Linux Enterprise Server 15 SP3 X
SUSE Linux Enterprise Server 15 SP2 X
SUSE Linux Enterprise Server 15 SP1 X X
SUSE Linux Enterprise Server 15 X X
SUSE Linux Enterprise Server 12 X X X
Ubuntu 22.04 LTS X
Ubuntu 20.04 LTS X³ X X
Ubuntu 18.04 LTS X³ X X
Ubuntu 16.04 LTS X X X
Ubuntu 14.04 LTS X X

1 Requires Python (2 or 3) to be installed on the machine.
2 Requires Python 2 to be installed on the machine and aliased to the python command.
3 Also supported on Arm64-based machines.

Note

Machines and appliances that run heavily customized or stripped-down versions of the above distributions and hosted solutions that disallow customization by the user are not supported. Azure Monitor and legacy agents rely on various packages and other baseline functionality that is often removed from such systems, and their installation may require some environmental modifications considered to be disallowed by the appliance vendor. For instance, GitHub Enterprise Server is not supported due to heavy customization as well as documented, license-level disallowance of operating system modification.

Next steps